From: 
Subject: 
Date: 
To: 


data-protection-office@ google.com 

Re: [7-2423000028191] Your Request to Google 
14 November 2019 at 15:08 

johnnyryan1 @gmail.com 

Hello, 

Thank you for contacting us. 


The download your data tool allows you to access your data at anytime, make a copy of it, back itup, or even move it to another 
service. 


Our Privacy Policy helps you understand what information we collect, why we collect it, and how we keep it safe and secure, 
using clear language and descriptive videos. To find out why we collect your personal data please see this section of our Privacy 
Policy. To find out the legal basis on which we process your personal data please see this section of our Privacy Policy. 


We're committed to being clear about what information we collect and how we use it. You can find additional details of our 
commitments in our Privacy policy and Safety Center. You'll also get explanations of the types of information we collect, how it is 
collected, how it is used, when it is shared and your privacy controls. 


If you want to see the majority of your data, sign in to your Google Account to get an overview of the ways you use Google’s 
services, and the data associated with that use. Here are some other actions you can take: 


e Review your basic account information 
e See what data is in your account 
e Review how you share data with third-party apps and sites 


When you sign in to Google products or services, we can verify your right to get data and make sure that info is being shared with 
the right person. To find your account info when you're signed in, go to the top right, select your profile picture or username, and 
then choose Privacy or Google Account. 


If you still need help, fill out this form. This is Google’s formal Article 15 subject access request form. On receipt our teams will 
process to ensure we get you the information you need. 


Regards, 
Google 


On Tue, Oct 15, 2019 at 14:20 UTC lis-noreply@google.com wrote: 
Hello, 
Thanks for contacting us. 
This is an automatic response to let you know that we have received your inquiry and will respond as soon as possible. 
We treat requests via this form seriously and we review them in the order in which they are received. 
Here's some additional help links you may find useful: 


e Help Center 
e Privacy troubleshooter 
e Help forums 





Thank you for your understanding and cooperation. 


Regards, 
Google 


Contact Us Form 

About which Google product are you inquiring? 
Others 

How can we help you? 

Other 

Email address 

johnnyryan1 @gmail.com 

First name 

Johnny 

Last name 

Ryan 

Select your country of residence 

Ireland 

Describe your issue or request, and include as much detail as you can. (750 maximum characters allowed) 
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LEAVE UUWINUaAUGYU Iy Udla WUT CAUUYIE > LUUVI, VUL UNS UYG HULL LOW TG WHat YUU UV WILT UIG Udla, UI WII yUU ISL ALLODD IL. 


Looking at the GDPR, Article 15 says | have the right to know the purposes for which information are processed, and the legal 
basis for each purpose. 


Please send this information. This request concerns all Google services. 
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19-21 Great Tower Street 
Tower Hill 
London, EC3R 5AQ 


T: 020 3909 8100 


F: 020 392 2 
SOLICITORS 3929 333 
DX: 307450 Cheapside 


enquiries@itnsolicitors.com 
www.itnsolicitors.com 


Data Protection Office 
Google 
27 December 2019 


By email: data-protection-office@google.com 


Our ref: RAN/34314 


Dear Sir / Madam 


Dr Johnny Ryan 


1. Weare instructed by Dr Ryan (“our client”) in relation to his Subject Access Request (SAR), 
to Google. 


2. Ourclient is unsatisfied with the response to his SAR he has received from Google to date. 
Accordingly, we are instructed to request a fuller response from Google on the basis that: 


i. The SAR response contained no information as to the purposes of processing. 
ii. Further, the SAR response contained no information as to the lawful bases for the 
purposes of processing. 
ili. The SAR response and the relevant Google policies do not contain sufficient 
information for our client to understand the purposes of processing or the lawful bases 
for processing. As such, Google have not complied with their legal obligations to 


provide meaningful transparency and to act fairly to our client. 


3. We provide further details of these shortcoming below, as well as the remedial steps our 
client requests Google to take. We ask for your reply within 14 days of receipt of this letter. 


Irvine Thanvi Natas Solicitors (ITN Solicitors) are regulated by the Solicitors Regulation Authority - SRA No. 383444. 
Partners: Nadeem Thanvi \ Tayab Ali \ Simon Natas \ Theresa Gerald \ Mitali Zakaria \ Itpal Dhillon \ Lochlinn Parker \ Ravi Naik \ Hilary Doherty 1 
We also have offices at City View House, 1 Dorset Place, London E15 1BZ by appointment only. 
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Background 


Our client initially completed your online “download my data” tool on 7 October 2019, which 
is said by Google to provide a full and complete response to a SAR. Following that SAR, Dr 
Ryan wrote to Google on 15 October 2019 via your online contact form! to address the 
shortcomings in the SAR response he received. Dr Ryan requested “the purposes for which 
information are processed, and the legal basis for each purpose”, information to which he is 
entitled under Article 15 of the General Data Protection Regulation (GDPR). Dr Ryan noted 
at the time that he had already used the “download my data” tool. 


On 14 November 2019, the “data protection office” of Google wrote to our client providing 
generic information about how to use the “download my data” tool and how to use his Google 
account. No information about purposes or lawful bases was provided to our client. On 16 
December 2019, our client filled in the “Data Access Request Form”, requesting to know the 


purposes of processing his data and the lawful basis for each purpose. 


To date, Google have not provided any substantive response to our client’s request for 
information on purposes or lawful bases. No response was provided at all to our client’s 


request made on 16 December 2019. 


Purpose and lawful basis 


When Dr Ryan contacted Google about his SAR, he expressly requested information about 
“the purposes for which information are processed, and the legal basis for each purpose.” 
This has not been provided to date. 


Although it is not clear from the information provided to our client in his SAR response, our 
client assumes that you are processing his data that has both been obtained from him and 
elsewhere. Accordingly, both Articles 13 and 14 GDPR apply to that information. Both of 
those Articles? state that a data subject must be given information about the purposes of 
processing, as well as the legal basis for the processing activities. 


Further, Article 15 GDPR provides our client with a right of access to his personal data and 


information about “the purposes of the processing.” This right under Article 15 provides a 





1 Note that the form was not straightforward to locate and was related only to our client's Google account 
2 Article 13(1)(c) and 14(1)(c) GDPR 
3 Article 15(1)(a) GDPR 
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10. 


11. 


12. 


13. 


14. 


15. 


basis for our client to obtain this information from Google. Pursuant to Article 12(1) GDPR, 
that information must be provided in a “concise, transparent, intelligible and easily accessible 


form, using clear and plain language.” 


To date, your response under Article 15 GDPR has not provided our client with any 
information about the purposes of processing his data. He is entitled to receive this 
information from you, in clear language. Any reference to your privacy policies would be 
misplaced (leaving aside the suitability of those policies, which are dealt with below) as our 
client is entitled to obtain this information from you. 


For the avoidance of doubt, this request is not manifestly unfounded or excessive, as you 
must have retained a record of your processing activities pursuant to Article 30 GDPR. 
Presumably, you will also know the lawful basis for each processing activity. Accordingly, it 
would not be difficult for you to provide that same information to our client, as you are obliged 
to under Article 15 GDPR. 


In order to comply with Article 15 GDPR, our client is entitled to the following information 


from you: 


i. The purposes of processing his data, for each data set, and for all processing 
conducted; and 
ii. |The lawful basis for all processing. 


Please provide this information within 14 days of receipt of this letter. 


Transparency 


In addition to filing his SAR, Dr Ryan has carefully considered your privacy policies in an 
attempt to establish the purpose of processing and the lawful bases. Unfortunately, that 
process has been difficult for our client owing to the deficiencies in your privacy policies. 


As a primary matter, pursuant to Article 5(2) GDPR, the burden is on Google as the data 
controller to be able to demonstrate that our client’s personal data is processed in a 
transparent manner. This includes presenting information about personal data in a manner 
consistent with Article 12(1) GDPR: that the information be presented in a “concise, 
transparent, intelligible and easily accessible form, using clear and plain language.” 
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16. The Article 29 Working Party Guidance on Transparency‘ explains the reasons for such 
transparency as follows: 


the data subject should be able to determine in advance what the scope and 
consequences of the processing entails and that they should not be taken by 
surprise at a later point about the ways in which their personal data has been used. 
This is also an important aspect of the principle of fairness under Article 5.1 of the 
GDPR and indeed is linked to Recital 39 which states that “[nJatural persons should 
be made aware of risks, rules, safeguards and rights in relation to the processing 
of personal data...” In particular, for complex, technical or unexpected data 
processing, WP29’s position is that, as well as providing the prescribed information 
under Articles 13 and 14 (dealt with later in these guidelines), controllers should 
also separately spell out in unambiguous language what the most important 
consequences of the processing will be: in other words, what kind of effect will the 
specific processing described in a privacy statement/ notice actually have on a data 
subject? 


17. In other words, a data subject should be able to understand how and why their data is being 
collected, used and processed. This includes clear information about the purposes of 
processing personal data. However, the language used in Google’s policies is insufficiently 
precise to meet your transparency requirements. The Article 29 Working Party Guidance on 
Transparency confirms that the requirements for “clear and plain language” under Article 


12(1)(a) GDPR requires information to be provided in a way that is: 


... concrete and definitive; it should not be phrased in abstract or ambivalent terms 
or leave room for different interpretations. In particular the purposes of, and legal 
basis for, processing the personal data should be clear. 


18. The Guidance then provides examples of “poor practice” that would violate the requirements 


of Article 12(1)(a) GDPR. This includes the following examples of particularly poor practice: 


e “We may use your personal data to develop new services” (as it is unclear what 


the “services” are or how the data will help develop them); and 





4 Guidelines on transparency under Regulation 2016/679 (WP260 rev.01) 
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e “We may use your personal data to offer personalised services” (as it is unclear 


what the “personalisation” entails). 


19. Despite this clear guidance from the Article 29 Working Party, regrettably Google have used 
this phraseology in their privacy policies. Using both examples from the Article 29 Working 


Party Guidance as a heading, the following examples emerge from the policies: 


a. Develop new services 


i. In Google’s operative privacy policy (the Policy)®, under the heading “Why Google 
Collects Data” (i.e. the purposes), the lede of the Policy states “We use data to build 
better services”. The substantive part of the Policy states that Google “use your 
information to make improvements to our services”. Within the link to “make 
improvements”, Google explain that you “use cookies to analyze how people interact 


with our services. And that analysis can help us build better products.” 


ii. In the Guidance on “HOW GOOGLE USES INFORMATION FROM SITES OR APPS 
THAT USE OUR SERVICES” (i.e. from third part sites), it is said that “Google uses 
the information shared by sites and apps to deliver our services, maintain and improve 
them, develop new services, measure the effectiveness of advertising, protect against 
fraud and abuse, and personalize content and ads you see on Google and on our 


partners’ sites and apps.” 


b. Offer personalised services 


i. In the Policy, a further lede states “Provide personalized services, including content 
and ads”. The substantive explanation asserts that Google “use[s] the information we 
collect to customize our services for you, including providing recommendations, 
personalized content, and customized search results.” This is overlaid with an 
information box which states “you can get more relevant search results that are based 
on your previous searches and activity from other Google services. You can learn 
more here. You may also get customized search results even when you're signed out.” 
The “learn more here” section does not provide any further information or clarity and 


is therefore fruitless in attempting to understand the processing purposes. 





5 https://policies.google.com/privacy 
6 https://policies.google.com/technologies/partner-sites ?hl=en 
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Thus, Google’s policies (including the Policy) do not provide sufficient granularity for our 
client — or anyone — to understand the purposes of processing. Indeed, the language used 
replicates the bad practices examples given by the Article 29 Working Party. In turn, the 
policies do not provide the level of granularity required to enable Dr Ryan to know the 
purposes for which his data is being processed. Leaving aside your failure to provide this 
information to Dr Ryan in response to this SAR or follow up correspondence, these policies 
fall well short of the transparency required to provide to provide meaningful information to a 
data subject. 


In addition, there are a number of policies related to the Google family of companies. The 
policies available online are broken up on seemingly arbitrary terms. There is a generic 
“Google Privacy Policy’’ but it is not said which services the generic policy relates. 
Furthermore, that generic policy also provides links to numerous other policies as “related 
privacy practices"®. Despite these numerous and seemingly bespoke policies, there is often 
an overlap between the policies, such as Chrome being referred to in the introduction of the 
generic policy but also having its own policy. This makes the policy almost impenetrable and 
far from meeting the requirements of Article 12(1)(a) GDPR. 


Furthermore, there is no information on Google’s policies that indicate the lawful basis for 
any of the stated processing activities. There are a few references to “choices” in pop up 
boxes but this is not a base under Article 6 nor does this term clarify the alternative bases 
for processing. In any event, there is no information about lawful bases provided alongside 
information on purposes, contrary to the requirements of Article 13(1)(c) and 14(1)(c). 


Considering the numerous flaws identified above, Google have not treated Dr Ryan’s data 


fairly and rather have acted in a manner contrary to Article 5(1)(a) GDPR. 

Next steps and deadline to reply 

The information presented in your privacy policy falls short of what is required to meet your 
transparency obligations. Furthermore, your response to Dr Ryan’s SAR has been 


inadequate and short of what he is entitled to. 


Accordingly, our client asks for the following information: 





7 https://policies.google.com/privacy 
8 https://policies.google.com/privacy#products 
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i. Provision of all of Dr Ryan’s personal data you are processing, presented by 
categories of data; 

ii. The specific and legitimate purposes for processing, for each category of data; and 

ili. The lawful bases for processing each category of data for each individual purpose. 


26. Weask that the information is provided in such terms as to be complaint with Article 12(1)(a) 
GDPR. In particular, it should be provided in a “concise, transparent, intelligible and easily 
accessible form”. That information should be presented using “clear and plain language’, 
such that the information is presented in a terms that are “concrete and definitive; it should 


not be phrased in abstract or ambivalent terms”. 

27. Please provide your response within 14 days of the date of receipt of this letter (by 10 
January 2020). Should you not be able to meet that deadline, please explain so within 14 
days and provide your reasons for the failure to meet this deadline, as well as a clear 
timeframe by which you will provide a substantive response. Our client’s rights are reserved 
in the meantime. 


We look forward to hearing from you. 


Yours faithfully 


Irvine Thanvi Natas Solicitors 
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Subject: RE: Dr Johnny Ryan (Our ref: RAN/34314) 
Date: Friday, 10 January 2020 at 21:05:03 Greenwich Mean Time 
From: data-protection-office@google.com 


To: ravi@hayesnaikkind.com 


Your ref: RAN/34314 


Dear Sirs 


We refer to your emails of 27 December 2019 and 9 January 2020. We are working on our response which we will 
provide to you as soon as possible. In the event we are not in a position to respond by the 16 January 2020 we 
will notify you in advance of that date. 


Regards, 
Google 


On Thu, Jan 09, 2020 at 11:27 UTC "Ravi Naik" <rnaik@itnsolicitors.com> wrote: 


Dear Sir / Madam 


We write further to our letter of 27 December 2019. A copy of that letter is enclosed for ease of reference. 


Our client had sought your response by tomorrow, 10 January 2020. We trust you are working to meet that 
deadline. 


Please note however that | will be leaving ITN Solicitors tomorrow (10 January 2020). | will however continue 
to represent Dr Ryan from a new firm, HNK Litigation. | enclose an authority to act for Dr Ryan for HNK 
Litigation. | have also copied this email to my address at the new firm: ravi@hayesnaikkind.com. Please 
ensure any further correspondence or responses are copied to that address, as this ITN email address will no 
long be active after 10 January. 


| have copied this email to my new address for completeness. 


Yours sincerely 


Ravi Naik 
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Subject: Re: Dr Johnny Ryan (Our ref: RAN/34314) 

Date: Friday, 17 January 2020 at 14:00:41 Greenwich Mean Time 
From: Ravi Naik 

To: data-protection-office@google.com 

BCC: Johnny Ryan 


Dear Sir / Madam 


We write further to your email of 10 January 2020, as below. Despite setting your own arbitrary deadline to reply 
of 16 January 2020, that deadline has passed without any further response from you. 


You will recall that our client filed his subject access request on 7 October 2019. On 27 December 2019, we 
wrote to you about your failure to adequately respond to that request. Our client now finds himself 102 days 
later without an adequate reply. Even allowing for the longstop envisaged under Article 12(3) of the GDPR, you 
are in breach of the requirements of Articles 12 and 15 of the GDPR. 


Can you please therefore confirm when you intend to serve your response? If you do not intend to provide a 
further reply, please explain why not. 


Our client requests your full and substantive reply by no later than 20 January 2020. In the event that you do not 
comply with our client’s request by that date, out client reserves his right to take further action to enforce his 
rights without recourse to you. 


Yours sincerely 


Ravi Naik 


Ravi Naik 
Director | HNK Litigation 


Tel: 07966143682 


This email (including attachments) is confidential and may be privileged. If you have received this email in error, please notify HNK Litigation 
immediately. You may not copy, forward, disclose or otherwise use any part of it. It is the responsibility of the recipient to ensure that this email is 
virus free and no responsibility is accepted by HNK Litigation for any loss or damage arising in any way from receipt or use of it. Emails are 
susceptible to interference. The contents of this email may not have originated from HNK Litigation, or be accurately reproduced. If verification is 
required, please request a hard-copy version. 


From: "data-protection-office@google.com" <data-protection-office@google.com> 
Date: Friday, 10 January 2020 at 21:05 

To: "ravi@hayesnaikkind.com" <ravi@hayesnaikkind.com> 

Subject: RE: Dr Johnny Ryan (Our ref: RAN/34314) 


Your ref: RAN/34314 


Dear Sirs 


We refer to your emails of 27 December 2019 and 9 January 2020. We are working on our response which we will 
provide to you as soon as possible. In the event we are not in a position to respond by the 16 January 2020 we 
will notify you in advance of that date. 
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Subject: Re: Dr Johnny Ryan (Our ref: RAN/34314) 

Date: Monday, 20 January 2020 at 21:19:55 Greenwich Mean Time 
From: data-protection-office@google.com 

To: Ravi Naik 


Dear Sirs 


We refer to our email of January 10th 2020. As a preliminary point please note that we do not agree with your 
assertions regarding the alleged inadequacy of the Google privacy policy and Google privacy practices generally, 
and reserve our position accordingly. 


Regarding your request for details of the purposes and associated legal bases of processing the Google Privacy 
Policy outlines different processing purposes pursued by Google and associated legal bases that legitimise those 
processing purposes. For example in the section “Why Google collects data” users can find information on the 
purposes of processing. The section “European requirements” details information on the legal grounds. 


Google adopts a layered approach to transparency. This means that in addition to the Privacy Policy, Google 
provides a Google Account dashboard from where users can manage privacy preferences and displays contextual 
pop-up notices which provide information to users at the most appropriate time when they interact with the 
services. 


Depending on the products users use, there may be additional settings available via the user interface of the 
specific products. The overview section of our Privacy Policy contains a Google Product Privacy Guide 
(https://www.google.com/policies/technologies/product-privacy/), which provides users with an easily accessible 
resource for product-specific privacy information, controls and settings for many of Google’s core consumer 
products, including Gmail, Google Search, Chrome, Google Maps, YouTube, Android, Google, Google Play and 
others. 


In respect of your request for the “provision of all of Dr Ryan’s personal data you are processing, presented by 
categories of data”, we note your comment that Dr Ryan used the Download Your Data tool in October 2019 to 
access personal data processed by Google. If Dr Ryan is seeking to capture personal data generated since the 
date he last used the Download Your Data tool Dr Ryan can use that tool again. Facilitating data subjects remote 
access to their personal data is consistent with the recommendation under Recital 63 of the GDPR, that “/w/here 
possible, the controller should be able to provide remote access to a secure system which would provide the data 
subject with direct access to his or her personal data.” 


If there is any further personal data Dr Ryan requires that he can’t find via our tools, please advise him to submit 
a request for such further information using this web-form via the Privacy Help Center 
(https://support.google.com/policies/troubleshooter/2990837 ?hl=en&rd=2) (accessible via the “Contact Us” link 
in our Privacy Policy). Users must log-in to submit requests via this web-form, which will help us to verify their 
identity, and ensure we only disclose personal information directly to the appropriate data subject. 


Regards 


Google 


On Fri, Jan 17, 2020 at 14:00 UTC "Ravi Naik" <ravi@hayesnaikkind.com> wrote: 


Dear Sir / Madam 


We write further to your email of 10 January 2020, as below. Despite setting your own arbitrary deadline to 
reply of 16 January 2020, that deadline has passed without any further response from you. 


B012 


Subject: Fwd: [0-5331000028912] 

Date: Monday, 20 January 2020 at 19:49:55 Greenwich Mean Time 
From: Johnny RYAN 

To: Johnny Ryan, Ravi Naik 


---------- Forwarded message --------- 

From: <data-access-requests@google.com> 
Date: Mon 20 Jan 2020 at 16:44 

Subject: [0-5331000028912] 

To: <johnnyryan1@gmail.com> 








Hello, 
Thank you for contacting us. 


As mentioned in our previous response the Google Privacy Policy outlines different processing purposes pursued 
by Google and associated legal bases that legitimise those processing purposes. For example in the section “Why 
Google collects data” you can find information on the purposes of processing. The section “European 
requirements” details information on the legal grounds. 


Google adopts a layered approach to transparency. In addition to the Privacy Policy, Google provides a Google 
Account dashboard from where you can manage your privacy preferences and displays contextual notices which 
provide information to users at the most appropriate time when users interact with the services. 


Depending on the products you use, there may be additional settings available via the user interface of the 
specific products. The overview section of our Privacy Policy contains a Google Product Privacy Guide 
(https://www.google.com/policies/technologies/product-privacy/), which provides users with an easily accessible 
resource for product-specific privacy information, controls and settings for many of Google’s core consumer 
products, including Gmail, Google Search, Chrome, Google Maps, YouTube, Android, Google Play and others. 


As users can utilise a variety of Google services, the processing purposes pursued and the related legal bases will 
vary by reference to the Google services associated with your account and your user settings. Given the large 
number of Google services associated with your account (an overview of which is available in your Google 
Account dashboard) please specify those services which you are referring to. 


If you need to contact us in the future, send your replies to data-access-requests@google.com and make sure to 
include your reference number. Alternatively you can reply to this email. 


Please confirm you are happy for us to share future correspondence with ravi@hayesnaikkind.com who has 
asserted is instructed by you. 


Regards, 
Google 
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Mon, Dec 16, 2019, 11:31 AM 
johnnyryani@gmail.com 

Contact Us Form 

Email address 

johnnyryan1@gmail.com 

Please select your country of residence 

Ireland 

About which Google product are you inquiring? 
Other 

What personal data are you seeking? 

| have downloaded my data from Google's tool, but this does not tell me what you do with the data, or who you 
let access it. 


Looking at the GDPR, Article 15 says | have the right to know the purposes for which information are processed, 
and the legal basis for each purpose. 
Please send this information. This request concerns all Google services. 


| have already made this request to Google on 15 October 2019, your reference 7-2423000028191. The 30 days 
allowed for response have elapsed long ago. Therefore | ask for your reply within 7 days of today, 16 December 
2019. 


Dr Johnny Ryan FRHistS 


Praise for 'A History of the Internet and the Digital Future' 

"Consider this book your road map" -Marc Benioff (CEO of Salesforce - 
Forbes' most innovative company in the world 2013) 

"An immensely important book" -Kevin O'Sullivan (Editor of The Irish Times) 
"Engrossing" -Cory Doctorow (BoingBoing) 

"Enormously useful" -Prof Tim Wu (Columbia Law School) 
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HNK LITIGATION 


2 John Street 
London 
WC1N 2ES 


Data Protection Office 
Google 


By email: data-protection-office@google.com 28 January 2020 


Our ref: RAN/OOO09-Ryan 


LETTER BEFORE CLAIM 
Dear Sir / Madam 
Johnny Ryan — Subject access request 


1. We write further to our correspondence relating to Dr Ryan’s subject access request, 
as made to Google on 7 October 2019. Google have failed to: 


i. adequately respond to that request from our client; and 
ii. failed to provide our client with information relating to the collection of his data. 


2. We are accordingly instructed to request that you provide a full and adequate 
response to that subject access request and the further information to which our 


client is entitled. Full details of our client’s requests are set out below. 


3. Please note that, in the absence of a satisfactory resolution of the issues raised in 
this letter, it is our client’s intention to seek resolution of his subject access request 
through either issuing legal proceedings and / or a complaint before the Data 
Protection Commissioner (DPC). We trust that you agree that such a course would 
be regrettable and that you will instead provide our client with the remedies he has 
set out herein, which would avoid any further costs and time to either party. 


HNK Litigation | SRA number: 666285 
B015 


Please provide your response to this letter within 14 days of receipt. If we do not 
hear from you by 11 February 2020, our client may issue proceedings and / or 


complain to the DPC without further recourse to you. 


The proposed Claimant 


Should further action become necessary, the proposed Claimant / Complainant 
would be Dr Johnny Ryan, who can be contacted at this office: 


HNK Litigation 
2 John Street 
London 
WC1N 2ES 


You already have a copy of our client's authority form. Note that the authority form 
provides for our firm to receive disclosure of any relevant information or 


documentation requested in this letter before claim. 


Proposed Defendant 


Should the commencement of proceedings become necessary, we consider the 
proposed Defendant / Respondent in this matter to be Google Ireland, Gordon 
House, Barrow Street, Dublin, D04 E5W5, Dublin (Company number: 368047). 
Please confirm if these details are correct and whether any additional party should 
be named as a Defendant. 


The Claimant’s legal advisers 
This case is being dealt with by Ravi Naik, a Director of this firm. Mr Naik can be 
contacted at the address set out above. The reference number for this case is 


RAN/00009-Ryan. Please ensure you use this reference number for all future 


correspondence on this matter. 
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Background 


Our client initially completed your online “download my data” tool on 7 October 2019, 
which is said by Google to provide a full and complete response to a subject access 


request. 


Following that SAR, Dr Ryan wrote to Google on 15 October 2019 via your online 
contact form’ to address the shortcomings in the subject access request response 
he received. Dr Ryan requested “the purposes for which information are processed, 
and the legal basis for each purpose”, information to which he is entitled under Article 
15 of the General Data Protection Regulation. In that contact form, Dr Ryan noted at 


the time that he had already used the “download my data” tool. 


On 14 November 2019, the “data protection office” of Google wrote to our client 
providing generic information about how to use the “download my data” tool and how 
to use his Google account. No information about purposes or lawful bases was 
provided to our client. On 16 December 2019, our client filled in the “Data Access 
Request Form”, requesting to know the purposes of processing his data and the 


lawful basis for each purpose. 


On 27 December 2019, our client wrote to you about the continuing failure to provide 
him with the information to which he was entitled. In particular, our client outlined 
information to which he is entitled, and which remained missing from your responses 
to date. That letter was from our client’s previous representatives, Irvine Thanvi 


Natas Solicitors. Our client sought your substantive reply by 10 January 2020. 


On 10 January 2020, you replied stating that you required more time to provide a 
substantive response, stating “In the event we are not in a position to respond by the 
16 January 2020 we will notify you in advance of that date.” You did not reply by 16 
January 2020. 





1 Note that the form was not straightforward to locate and was related only to our client’s Google account 
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On 17 January 2020, our client wrote to you via this firm to request clarification of 
when you may provide the information to our client. On 20 January 2020, you replied 
to our clientť’s letter of 27 December 2019. You did not provide any further information 
to our client as requested. Rather, you referred our client to a series of links on your 
website, including reference to your privacy policies. You further suggested that our 


client complete the “download your data” tool again. 


Our client remains without substantive responses to the information he has sought 


from you four months ago. 


Grounds 


The information sought by our client was his personal data and he sought your 
clarification of the processing of his personal data. As such, the General Data 
Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) apply to 
the processing of that information. Google are a “data controller” and our client is a 


“data subject” under those regulations. 


As the controller of our clients data, Google has not complied with the GDPR as 
you: (i) have not satisfied the requirements for information to be provided where 
personal data is collected relating to our client; (ii) have not complied with our client’s 
subject access request; and (iii) have failed to demonstrate compliance with the 
principles of processing, contrary to the accountability principle. We address each 


violation in turn. 


i. Transparency and information to be provided on collection of data 


Articles 13 and 14 of the GDPR oblige data controllers to provide information to data 
subjects when collecting their data. Article 13 relates to information collected directly 
from the data subject, with Article 14 relating to personal data that have not been 
obtained from the data subject. Thus, whenever data is collected about a data 


subject, that data subject must be informed regardless of the source. 
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19. Further, pursuant to Articles 13(1)(c) and 14(1)(c) of the GDPR, a controller must 


20. 


21. 


provide a data subject with “the purposes of the processing for which the personal 
data are intended as well as the legal basis for the processing”. Thus, the purposes 
for processing personal data and related legal basis must be provided to our client, 
whether his personal data is collected directly from him or any other source. 


These requirements are augmented by the requirements of Article 12(1) of the 
GDPR, which requires any information provided to a data subject to be presented in 
a “concise, transparent, intelligible and easily accessible form, using clear and plain 
language.” The Article 29 Working Party Guidance on Transparency? explains the 


requirements of transparency as follows: 


the data subject should be able to determine in advance what the scope and 
consequences of the processing entails and that they should not be taken 
by surprise at a later point about the ways in which their personal data has 
been used. This is also an important aspect of the principle of fairness under 
Article 5.1 of the GDPR and indeed is linked to Recital 39 which states that 
“[InJatural persons should be made aware of risks, rules, safeguards and 
rights in relation to the processing of personal data...” In particular, for 
complex, technical or unexpected data processing, WP29’s position is that, 
as well as providing the prescribed information under Articles 13 and 14 
(dealt with later in these guidelines), controllers should also separately spell 
out in unambiguous language what the most important consequences of the 
processing will be: in other words, what kind of effect will the specific 
processing described in a privacy statement/ notice actually have on a data 
subject? 


Taken together, Article 12, 13 and 14 of the GDPR require that a data subject should 
be able to understand how and why their data is being collected, used and 
processed. Google have failed to comply with these requirements to date. 





2 Guidelines on transparency under Regulation 2016/679 (WP260 rev.01) 
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22. 


23. 


Our client has sought clarification of the purposes of processing and legal basis for 
each purpose, including his letter of 27 December 2019. In your email of 20 January 


2020, you responded to those requests stating (sic): 


Regarding your request for details of the purposes and associated legal 
bases of processing the Google Privacy Policy outlines different processing 
purposes pursued by Google and associated legal bases that legitimise 
those processing purposes. For example in the section “Why Google 
collects data” users can find information on the purposes of processing. The 


section “European requirements” details information on the legal grounds. 


Your response thus pointed our client back to your Privacy Policy (herein referred to 
as “the Policy”). However, as detailed in our letter of 27 December 2019, that Policy 
is inadequate to satisfy the requirements of Articles 12(1), 13 and 14 of the GDPR. 


We set out the basis for those deficiencies in turn: 


a. Policy is incomplete: The Policy (and the “why Google collects data” page) is 
limited to examples of purposes only. For instance, in the “develop new services” 
section of the Policy, you state 


“We use the information we collect in existing services to help us develop 
new ones. For example, understanding how people organized their photos 
in Picasa, Google’s first photos app, helped us design and launch Google 
Photos.” 


No further information is provided. 


To take another instance (of which there are numerous), in the “Provide 
personalized services, including content and ads” section you state that you “may 
also show you personalized ads based on your interests.” The term “personalized 
ads” links to a further page, entitled “Why you're seeing an ad”. No further 


information concerning the purposes of processing are provided on that page. 
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As these examples show, the Policy does not provide all the purposes of 
processing being undertaken by Google. At best, you give only indicative 
examples of the categories of processing being undertaken, rather than providing 
granular detail of each specific purpose of processing being undertaken. As the 
Policy is expressed in indicative terms only, there are further purposes that have 
not been disclosed. This alone renders the Policy incompatible with Articles 12, 
13 and 14 of the GDPR. 


. Policy is not transparent: Further, the information provided in the Policy is 
insufficiently precise to provide meaningful transparency as required under 
Article 12(1)(a) of the GDPR. Our client outlined those deficiencies in his letter of 
27 December 2019, which need not be rehearsed herein. In particular, our client 
drew on the Article 29 Working Party guidance on transparency to demonstrate 
that: 


“Google’s policies (including the Policy) do not provide sufficient granularity 
for our client — or anyone — to understand the purposes of processing. 
Indeed, the language used [by Google] replicates the bad practices 
examples given by the Article 29 Working Party. In turn, the policies do not 
provide the level of granularity required to enable Dr Ryan to know the 
purposes for which his data is being processed.” 


You have not replied to those submissions. Instead, you stated that “do not agree 
with your assertions regarding the alleged inadequacy of the Google privacy 
policy and Google privacy practices generally” yet provided no reasons for that 


assertion. 


You then referred our client back to your Policy, despite our client's letter of 27 
December 2019 which showed that Policy to be inadequate. We have enclosed 
a copy of our client's letter of 27 December 2019 for your ease of reference. That 
letter made clear that you had not satisfied the transparency requirements of the 
GDPR. You have not provided an adequate response to the matters raised in 
that letter and we request you to properly engage with that letter in your reply to 


this correspondence. 


B021 


c. Failure to provide lawful bases: You have not provided lawful bases for each 
processing activity, to which our client is entitled under Articles 13 and 14 of the 
GDPR. Instead, in your email of 20 January 2020, you referred to the “European 
requirements” section of your website. That section of the Policy provides generic 
information about the lawful bases, rather than providing legal bases for specific 
purposes of processing. Indeed, on its own terms it is insufficient to explain the 
lawful basis for each purpose as the legal bases are provided on indicative terms 


only. 


For instance, legitimate interests? are cited as a legal basis for processing “things 
like”, with some examples then provided. Our client cannot — nor anyone looking 
at the Policy — fathom the purposes to which legitimate interests relate. In turn, 
he is unable to exercise his rights under the GDPR in full as he cannot appreciate 
the exact processing activities to which each lawful basis applies. He cannot 


therefore know how to object under Article 21(1) or seek erasure under Article 


17(1)(c). 


In summary, the Policy does not provide granularity of either the purpose of 
processing or the related legal basis for processing. As a result, a data subject 
cannot know which lawful basis applies to which processing activity and purpose. 
This is inappropriate and falls well below the Article 29 Working Party 


requirements for transparency. 


d. Aggregating policies: There are a number of policies related to the Google 
family of companies. The policies available online are broken up on seemingly 
arbitrary terms. There is a generic “Google Privacy Policy” but it is not said which 
services the generic policy relates. Furthermore, that generic policy also provides 


links to numerous other policies as “related privacy practices". 





3 Presumably under Article 6(1)(f) but this is not specified 
4 https://policies.google.com/privacy 
5 https://policies.google.com/privacy#products 
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24. 


25. 


26. 


27. 


28. 


Despite these numerous and seemingly bespoke policies, there is often an 
overlap between the policies, such as Chrome being referred to in the 
introduction of the Policy but also having its own policy. This makes the policy 
almost impenetrable and far from meeting the requirements of Article 12(1)(a) 
GDPR. 


Accordingly, Google’s Policies do not comply with the basic requirements of Articles 
12, 13 and 14 of the GDPR. This is exemplified by the lack of information provided 


to our client following his subject access request. 


ii. Subject access request 


Pursuant to Article 15(1) of the GDPR, our client is entitled to “obtain from the 
controller confirmation as to whether or not personal data concerning him or her are 
being processed”. Where personal data is being processed, our client is also entitled 
to know “the purposes of the processing”, under Article 15(1)(a) of the GDPR. 


Our client has sought clarity from Google about the specific purposes of the 
collection and processing of his data, including through his letter of 27 December 
2019. Your response has been to continuously refer our client back to the Policy 
rather than engage with his requests. However, that Policy does not provide for all 
the purposes of processing of his personal data specifically. Rather, as dealt with 
above, the information provided is vague, incomplete and does not specify all 
processing purposes. Further, the information in the Policy does not relate to our 
client’s specific data. 


We note your reference to the “download your data” tool. However, that tool does 
not provide for any purposes of processing. As such, the purposes of processing our 
client’s data have not been provided to him and are not available from the Policy or 
the tool. 


In summary, our client is entitled to know each purpose for which his personal data 
is collected and processed. You have not provided that information to our client and 
the references and links you have provided do not provide that information. 


9 
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29. 


30. 


31. 


32. 


33. 


Accordingly, you have not complied with Article 15 of the GDPR and Article 15(1)(a) 


in particular. 


We further note that you have taken longer than the permitted time under Article 
12(3) of the GDPR. That Article requires a subject access request to satisfied 
“without undue delay and in any event within one month of receipt of the request.” 
That time period can be extended by 2 months “taking into account the complexity 
and number of the requests.” In this case, our client filed his subject access request 
on 7 October 2019. That SAR remains unsatisfied, some 112 days after the first 
request. Even allowing for the longstop, Google have breached Article 12(3). 


iii. Breach of accountability principle 


Article 5(2) of the GDPR requires a data controller to be able to “demonstrate 
compliance with” the principles relating to the processing of personal data. At 
present, Google cannot demonstrate that they are processing our client’s data fairly 
or in a transparent manner contrary to Article 5(1)(a) of the GDPR. In particular, 
refusing to explain the purposes of processing our client's data, despite his 


numerous and clear requests for the same, is not transparent nor fair. 


Further, you cannot demonstrate compliance with the purpose limitation principle 
contained in Article 5(1)(b) of the GDPR as you are not transparent with the purposes 
for which you process data. As detailed above, the purposes contained in the Policy 
are indicative only and incomplete. Accordingly, you cannot demonstrate compliance 
with the purpose limitation principle as you do not have a transparent and open list 


of purposes available. 


Thus, Google cannot demonstrate compliance with either Article 5(1)(a) or 5(1)(b) of 
the GDPR, in breach of Article 5(2). 


The details of the action that the Defendants are expected to take 


Considering the matters raised above, our client requests Google to take the 


following steps: 
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34. 


35. 


1. Please provide a detailed list of all purposes of processing of our client’s data. 
To be clear, our client requires confirmation of all processing purposes, whether 
at the point of collection or subsequent collection, or whether from our client or 
a third party. The Policy is not sufficient to meet these requirements, as detailed 
above. Our client requests this information in “a concise, transparent, intelligible 
and easily accessible form, using clear and plain language” pursuant to Article 
12(1) of the GDPR. We would suggest that you provide this information in 
tabular form, in either an Excel or CVS spreadsheet. 


2. Provide the legal basis for each processing activity, by reference to each 
specified purpose. We suggest that the lawful basis is included in a separate 
column in the purposes spreadsheet, to ensure consistency with the Article 


12(1) requirements. 


3. Provide our client with a full, complete and up to date subject access request 
response. Referencing the download your data tool has been shown to be 
inadequate to date, as it has not met the requirements of Article 15 of the GDPR. 


Our client is entitled to this information at a minimum. If you refute that our client is 
entitled to this information, please provide your detailed reasons for that refusal with 
specific reference to the legal reasoning for your position. We note that you had 
reserved your position in your email of 20 January 2020. It is not appropriate to 
continue to reserve your position. If you have a basis to refuse our client's requests, 
you should make that basis clear and explicit so that our client can understand and 


appreciate the reasons for your continued non-compliance. 

Address for Reply 

The address for the letter of reply, as well as the service of any documents, is HNK 
Litigation, 2 John Street, WC1N 2ES. We do not accept formal service of documents 


by email but are content to accept routine correspondence by email, including your 


letter of reply. 
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H. Date for reply 

36. Please provide your reply to this letter within 14 days. Given the inordinate delay in 
complying with our clients subject access request, 14 days is a generous timeframe 
for you to provide the remedies our client has sought. We accordingly look forward 
to receiving your full and substantive response by 11 February 2020. 

37. To be clear and to avoid further doubt, our client will rely on this correspondence in 
any further action he may be required to take to enforce his rights. However, we trust 
that such further action will not be necessary, and you will instead comply with his 
requests in full. 


We look forward to hearing from you. 


Yours faithfully 


HNK Litigation 
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Subject: Your reference RAN/O0009-Ryan 

Date: Tuesday, 11 February 2020 at 22:46:01 Greenwich Mean Time 
From: data-protection-office@google.com 

To: Ravi Naik 


Dear Sirs, 
We refer to your correspondence of 28 January 2020. 


As a preliminary point please note that we do not agree with your assertions regarding the alleged inadequacy of 
the Google privacy policy and Google privacy practices generally, and reserve our position accordingly. 


In your correspondence of 28 January 2020, you requested on behalf of your client, information regarding the 
purposes for which Google processes your client’s data, the legal basis for such processing as well as a subject 
access request response. These requests for information were made with reference to previous requests for 
information made through a Google account. We note your request to be provided with that information directly. 
However, please note that we are unable to verify the identity of a data subject in relation to a Google account 
outside of the relevant account (Articles 11(2) and 12(2) GDPR). Accordingly, we have provided additional 
information in response to the previous requests you referred to directly to the owner of that account by sending 
an email to that account. 


Yours faithfully, 


Google 


On Mon, Jan 20, 2020 at 21:19 UTC data-protection-office@google.com wrote: 


Dear Sirs 


We refer to our email of January 10th 2020. As a preliminary point please note that we do not agree with your 
assertions regarding the alleged inadequacy of the Google privacy policy and Google privacy practices 
generally, and reserve our position accordingly. 


Regarding your request for details of the purposes and associated legal bases of processing the Google Privacy 
Policy outlines different processing purposes pursued by Google and associated legal bases that legitimise 
those processing purposes. For example in the section “Why Google collects data” users can find information 
on the purposes of processing. The section “European requirements” details information on the legal grounds. 





Google adopts a layered approach to transparency. This means that in addition to the Privacy Policy, Google 
provides a Google Account dashboard from where users can manage privacy preferences and displays 
contextual pop-up notices which provide information to users at the most appropriate time when they interact 
with the services. 








Depending on the products users use, there may be additional settings available via the user interface of the 
specific products. The overview section of our Privacy Policy contains a Google Product Privacy Guide 





accessible resource for product-specific privacy information, controls and settings for many of Google’s core 
consumer products, including Gmail, Google Search, Chrome, Google Maps, YouTube, Android, Google, Google 
Play and others. 


In respect of your request for the “provision of all of Dr Ryan’s personal data you are processing, presented by 
categories of data”, we note your comment that Dr Ryan used the Download Your Data tool in October 2019 to 
access personal data processed by Google. If Dr Ryan is seeking to capture personal data generated since the 
date he last used the Download Your Data tool Dr Ryan can use that tool again. Facilitating data subjects 
remote access to their personal data is consistent with the recommendation under Recital 63 of the GDPR, that 
“[w]here possible, the controller should be able to provide remote access to a secure system which would 
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provide the data subject with direct access to his or her personal data.” 


If there is any further personal data Dr Ryan requires that he can’t find via our tools, please advise him to 
submit a request for such further information using this web-form via the Privacy Help Center 

link in our Privacy Policy). Users must log-in to submit requests via this web-form, which will help us to verify 
their identity, and ensure we only disclose personal information directly to the appropriate data subject. 





Regards 


Google 


On Fri, Jan 17, 2020 at 14:00 UTC "Ravi Naik" <ravi@hayesnaikkind.com> wrote: 


Dear Sir / Madam 


We write further to your email of 10 January 2020, as below. Despite setting your own arbitrary deadline to 
reply of 16 January 2020, that deadline has passed without any further response from you. 


You will recall that our client filed his subject access request on 7 October 2019. On 27 December 2019, we 
wrote to you about your failure to adequately respond to that request. Our client now finds himself 102 days 
later without an adequate reply. Even allowing for the longstop envisaged under Article 12(3) of the GDPR, 
you are in breach of the requirements of Articles 12 and 15 of the GDPR. 


Can you please therefore confirm when you intend to serve your response? If you do not intend to provide 
a further reply, please explain why not. 


Our client requests your full and substantive reply by no later than 20 January 2020. In the event that you 
do not comply with our client's request by that date, out client reserves his right to take further action to 
enforce his rights without recourse to you. 


Yours sincerely 


Ravi Naik 


Ravi Naik 
Director | HNK Litigation 


Tel: 07966143682 


B028 


This email (including attachments) is confidential and may be privileged. If you have received this email in error, please notify HNK 
Litigation immediately. You may not copy, forward, disclose or otherwise use any part of it. It is the responsibility of the recipient to ensure 
that this email is virus free and no responsibility is accepted by HNK Litigation for any loss or damage arising in any way from receipt or use 
of it. Emails are susceptible to interference. The contents of this email may not have originated from HNK Litigation, or be accurately 
reproduced. If verification is required, please request a hard-copy version. 


From: "data-protection-office@ google.com" <data-protection-office@google.com> 
Date: Friday, 10 January 2020 at 21:05 

To: "ravi@hayesnaikkind.com" <ravi@hayesnaikkind.com> 

Subject: RE: Dr Johnny Ryan (Our ref: RAN/34314) 


Your ref: RAN/34314 


Dear Sirs 


We refer to your emails of 27 December 2019 and 9 January 2020. We are working on our response which 
we will provide to you as soon as possible. In the event we are not in a position to respond by the 16 January 
2020 we will notify you in advance of that date. 


Regards, 
Google 


On Thu, Jan 09, 2020 at 11:27 UTC "Ravi Naik" <rnaik@itnsolicitors.com> wrote: 


Dear Sir / Madam 


We write further to our letter of 27 December 2019. A copy of that letter is enclosed for ease of 
reference. 


Our client had sought your response by tomorrow, 10 January 2020. We trust you are working to meet 
that deadline. 


Please note however that | will be leaving ITN Solicitors tomorrow (10 January 2020). | will however 
continue to represent Dr Ryan from a new firm, HNK Litigation. | enclose an authority to act for Dr Ryan 
for HNK Litigation. | have also copied this email to my address at the new firm: ravi@hayesnaikkind.com. 
Please ensure any further correspondence or responses are copied to that address, as this ITN email 
address will no long be active after 10 January. 


| have copied this email to my new address for completeness. 


Yours sincerely 
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Subject: Fwd: [0-5331000028912] 


Date: 
From: 
To: 


Tuesday, 11 February 2020 at 23:09:32 Greenwich Mean Time 
Johnny Ryan 
Ravi Naik, Johnny Ryan 


Dr Johnny Ryan FRHistS 


Praise for 'A History of the Internet and the Digital Future' 
"Consider this book your road map" -Marc Benioff (CEO of Salesforce - 


Forbes 


"most innovative company in the world 2013) 


"An immensely important book" -Kevin O'Sullivan (Editor of The Irish Times) 
"Engrossing" -Cory Doctorow (BoingBoing) 
"Enormously useful" -Prof Tim Wu (Columbia Law School) 


Begin forwarded message: 


From: data-access-requests@google.com 
Date: 11 February 2020 at 22:54:40 GMT 
To: johnnyryan1@gmail.com 

Subject: Re: [0-5331000028912] 


Hello, 


We received correspondence from Mr. Ravi Naik, from HNK Litigation, London 

(ravi@ hayesnaikkind.com) referring to previous correspondence you had with us in this matter 
through this account. Mr. Naik states that he acts on behalf of his client Johnny Ryan and requests 
information of the purposes for which Google processes his client’s data, the legal basis for such 
processing as well as a subject access request response. Please note that we are not in a position to 
verify the identity of a data subject in relation to a Google account outside of the relevant account 
(see Articles 11(2) and 12(2) GDPR). Accordingly, we are providing additional information in 
response to Mr. Naik’s request directly to you as the owner of the account. Please inform us in case 
Mr. Naik has not been instructed by you to request information related to this account. 


We note your comment that you previously used the download your data tool to download copies 
of data for certain services. Mr. Naik has requested that we provide related information in addition 
to the data received through that tool. 


Legal Bases 


Regarding the request for the legal bases associated with the processing purposes in the context of 
those Google services, you can find information on the legal grounds relied upon to legitimize 
processing in the section “European requirements” of the Google Privacy Policy. This information is 
provided in line with Art. 13 and 14 GDPR. Please note Article 15(1) of the GDPR does not require a 
controller to detail those legal bases. 


Processing Purposes 


The purposes for which data may be processed in the context of those Google services include the 
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purposes detailed in the Appendix. All of the processing purposes are detailed in the Google 
Privacy Policy. 


Relying on the Google Privacy Policy to detail the processing purposes in response to an Article 15 
request is the most appropriate way to provide such details in line with the requirements of Art 
12(1) GDPR, particularly the requirements to provide such information in a concise and easily 
accessible form, given that a Google account can be used by any user to use any combination of all 
of the varied services available through that account, all of which are interactive and are used 
differently and with different settings and through different surfaces by each user from time to 
time over the lifespan of an account. 


Regards 


Google 


Appendix 


Provide our services - We use your information to deliver our services, like processing the terms 
you search for in order to return results or helping you share content by suggesting recipients from 
your contacts. 


Maintain & improve our services - We use your information to ensure our services are working as 
intended, such as tracking outages or troubleshooting issues that you report to us. And we use 
your information to make improvements to our services — for example, understanding which 
search terms are most frequently misspelled helps us improve spell-check features used across our 
services. 


Develop new services - We use the information we collect in existing services to help us develop 
new ones. For example, understanding how people organized their photos in Picasa, Google’s first 
photos app, helped us design and launch Google Photos. 


Provide personalized services, including content and ads - We use the information we collect to 
customize our services for you, including providing recommendations, personalized content, and 
customized search results. For example, Security Checkup provides security tips adapted to how 
you use Google products. And Google Play uses information like apps you’ve already installed and 
videos you’ve watched on YouTube to suggest new apps you might like. 


Depending on your settings, we may also show you personalized ads based on your interests. For 
example, if you search for “mountain bikes,” you may see an ad for sports equipment when you’re 
browsing a site that shows ads served by Google. You can control what information we use to show 
you ads by visiting your ad settings. 


Measure performance - We use data for analytics and measurement to understand how our 
services are used. For example, we analyze data about your visits to our sites to do things like 
optimize product design. And we also use data about the ads you interact with to help advertisers 
understand the performance of their ad campaigns. We use a variety of tools to do this, including 
Google Analytics. When you visit sites that use Google Analytics, Google and a Google Analytics 
customer may link information about your activity from that site with activity from other sites that 
use our ad services. 


Communicate with you - We use information we collect, like your email address, to interact with 
you directly. For example, we may send you a notification if we detect suspicious activity, like an 
attempt to sign in to your Google Account from an unusual location. Or we may let you know about 
upcoming changes or improvements to our services. And if you contact Google, we’ll keep a record 
of your request in order to help solve any issues you might be facing. 


Protect Google, our users, and the public - We use information to help improve the safety and 
reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, 
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security risks, and technical issues that could harm Google, our users, or the public. 


On Mon, Jan 20, 2020 at 16:44 UTC data-access-requests@ google.com wrote: 
Hello, 


Thank you for contacting us. 





As mentioned in our previous response the Google Privacy Policy outlines different processing 
purposes pursued by Google and associated legal bases that legitimise those processing 
purposes. For example in the section “Why Google collects data” you can find information on the 
purposes of processing. The section “European requirements” details information on the legal 
grounds. 





Google adopts a layered approach to transparency. In addition to the Privacy Policy, Google 
provides a Google Account dashboard from where you can manage your privacy preferences and 
displays contextual notices which provide information to users at the most appropriate time 
when users interact with the services. 





Depending on the products you use, there may be additional settings available via the user 
interface of the specific products. The overview section of our Privacy Policy contains a Google 
provides users with an easily accessible resource for product-specific privacy information, 
controls and settings for many of Google’s core consumer products, including Gmail, Google 
Search, Chrome, Google Maps, YouTube, Android, Google Play and others. 


As users can utilise a variety of Google services, the processing purposes pursued and the related 
legal bases will vary by reference to the Google services associated with your account and your 
user settings. Given the large number of Google services associated with your account (an 
overview of which is available in your Google Account dashboard) please specify those services 
which you are referring to. 





If you need to contact us in the future, send your replies to data-access-requests@google.com 
and make sure to include your reference number. Alternatively you can reply to this email. 


Please confirm you are happy for us to share future correspondence with 
ravi@hayesnaikkind.com who has asserted is instructed by you. 


Regards, 
Google 


Mon, Dec 16, 2019, 11:31 AM 


B032 


johnnyryan1@gmail.com 

Contact Us Form 

Email address 

johnnyryan1@gmail.com 

Please select your country of residence 

Ireland 

About which Google product are you inquiring? 
Other 

What personal data are you seeking? 

| have downloaded my data from Google's tool, but this does not tell me what you do with the 
data, or who you let access it. 


Looking at the GDPR, Article 15 says | have the right to know the purposes for which information 
are processed, and the legal basis for each purpose. 
Please send this information. This request concerns all Google services. 


| have already made this request to Google on 15 October 2019, your reference 7- 
2423000028191. The 30 days allowed for response have elapsed long ago. Therefore | ask for 
your reply within 7 days of today, 16 December 2019. 
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HNK LITIGATION 


2 John Street 
London 
WC1N 2ES 


Data Protection Office 
Google 


By email: data-protection-office@google.com 13 February 2020 


Our ref: RAN/OO009-Ryan 


Dear Sir / Madam 
Dr Johnny Ryan 


1. We write further to our letter before claim of 28 January 2020 and your responses of 
11 February 2020. We enclose a copy of our letter of 28 January 2020 for ease of 


reference. 


2. Assetoutin our letter of 28 January 2020, this matter has been ongoing for a number 
of months with our client first making requests to Google on 7 October 2019 (130 
days ago, at the time of writing). Regrettably and despite that long history, your 
responses have not adequately or appropriately addressed any of the matters raised 
in our letter of 28 January 2020 or the prior correspondence from Dr Ryan. In 


particular: 


i. You have for the second time stated that you “do not agree with [our] assertions 
regarding the alleged inadequacy of the Google privacy policy and Google 
privacy practices generally”. However, you have not explained why you do not 
agree despite being expressly asked to do so. This is unacceptable, particularly 


in light of our client’s proposed further action. 


HNK Litigation | SRA number: 666285 
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ii. You have reiterated that you “reserve your position” but have not explained why 
you are reserving that position or what the trigger would be for you to explain 
your position. We presume that you are reserving that position for any further 
proceedings, but our client has made clear that he intends to seek redress from 
elsewhere if you continue to fail to engage with his requests. It would therefore 
be appropriate for you to explain your position now, if you are able to. Indeed, 
it is striking and curious that you have been unable to defend any allegation put 


you. If you have a cogent and proper response, you should provide it. 


iii. The substantive response provided to our client on legal bases stated “you can 
find information on the legal grounds relied upon to legitimize processing in the 
section “European requirements” of the Google Privacy Policy.” As our client 
laid out in detail in his letter of 28 January 2020, this is not correct. Google’s 
Privacy Policy is defective and does not comply with the GDPR as it does 
explain the lawful base for each processing purpose. This is a basic failure to 
comply with the GDPR, which our client sought you to rectify through his 
correspondence. Instead, you referred him back to the very policy that he was 


complaining about. Your reasoning is circular and unsustainable. 


iv. You state “All of the processing purposes are detailed in the Google Privacy 
Policy.” As set out in exhaustive detail in our letter of 28 January 2020, the 
Google Privacy Policy does not provide sufficient information on processing 
purposes. In particular, the Google Privacy Policy is so defective as to replicate 
the “poor practice” examples of a policy set out by the Article 29 Working Party’ 
(as it was then called). Despite Dr Ryan instructing lawyers to raise these 
matters with you on three separate occasions over the last three months, you 
have not sought to rectify this deficiency but continually refer our client back to 
your flawed Privacy Policy. Again, this is circular reasoning and does not 
address our client’s concerns. You have simply not provided any further detail 


to our client. 





1 Guidelines on Transparency under Regulation 2016/679 (WP260 rev.01) (available at: 
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227) 
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In sum, you continue to fail to (1) comply with your transparency requirements under 
the GDPR and (2) satisfy our client's subject access requests. Our client has been 
more than indulgent to you in order to receive these answers, only to be met with 
defective and deficient responses from you at every stage. Your responses to date 
have been circular and deliberately obtrusive. It is notable that Google have not put 
forward any defence to the matters raised by our client and you have instead referred 
our client back to the very policies and tools that have given rise to our client’s clearly 
articulated concerns. We presume that if you had a defence and appropriate reply, 
you would have provided the same by now. Your attempts to “reserve your position” 
to this end are flawed and not an appropriate response to the correspondence sent 
to date. Google is not above the law and you are strongly urged to seek legal advice 
about the matters raised in this letter and our letter of 28 January 2020. 


To be clear, if you cannot provide adequate and appropriate responses, our client 
intends to seek redress for these matters though a regulatory complaint and / or 


court proceedings. 


Our client is committed to dealing with this matter cooperatively, if possible. 
Accordingly, and in a final attempt to deal with this matter through correspondence, 
our client requests your full and substantive response to his letter before claim of 28 
January 2020 within 5 days of this letter. A copy of that letter is enclosed for ease of 


reference. 


In the event that you continue to fail to engage with those requests, our client will 
take appropriate steps to enforce his rights without further recourse to you. We hope 
that instead you will take this matter seriously and provide our client with a full and 
adequate response to the letter of 28 January 2020. Please provide your response 
by 18 February 2020, failing which our client will be forced to seek redress from 
supervisory authorities and / or the courts. 
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7. You will note that this correspondence and your wilful disregard of your legal 
obligations will be a central consideration of any further steps that our client is 
required to take. Your conduct will also be used when determining costs, should any 
further proceedings be necessary. 


We look forward to hearing from you. 


Yours faithfully 


HNK Litigation 


B037 


Subject: Re: Your reference RAN/00009-Ryan 

Date: Friday, 21 February 2020 at 18:16:37 Greenwich Mean Time 
From: data-protection-office@google.com 

To: Ravi Naik 


Dear Sirs 
We refer to your correspondence of 13 and 19 February 2020. 


We do not agree with your assertions regarding the alleged inadequacy of the Google privacy policy and Google 
privacy practices generally, and reserve our position accordingly. 


Yours faithfully 


Google 


On Wed, Feb 19, 2020 at 09:29 UTC "Ravi Naik" <ravi@awo.legal> wrote: 


Dear Sir / Madam 


We write further to our letter of 13 January 2020, as enclosed for your ease of reference. 


We have not received any response from you to that correspondence. We take your failure to respond as a 
concession that you have no answer to the matters raised in our clients correspondence. We are accordingly 
instructed to take matters further and will rely on your failure to respond as acceptance that you have no 
defence to our client’s concerns. 


Yours sincerely 


Ravi Naik 


Ravi Naik 
Director | AWO 


Tel: 07966143682 


This email (including attachments) is confidential and may be privileged. If you have received this email in error, please notify AWO 
immediately. You may not copy, forward, disclose or otherwise use any part of it. It is the responsibility of the recipient to ensure that this 
email is virus free and no responsibility is accepted by AWO for any loss or damage arising in any way from receipt or use of it. Emails are 
susceptible to interference. The contents of this email may not have originated from AWO, or be accurately reproduced. If verification is 
required, please request a hard-copy version. 
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Subject: Re: Your reference RAN/O0009-Ryan 

Date: Monday, 24 February 2020 at 10:31:36 Greenwich Mean Time 
From: Ravi Naik 

To: data-protection-office@google.com 

BCC: Johnny Ryan 


Dear Sir / Madam 
We note your response below and that you “reserve [your] position”. 


We have asked you on several occasions to explain why you disagree with our client’s concerns. You have 
failed to do so. We have also repeatedly asked you to explain what event you are reserving your position for. 
You have again failed to do so. We assume you have failed to engage as you have no defence to our client’s 
concerns and claims. 


Your responses to date have been inadequate and you have wilfully disregarded our client’s reasonable 
requests. 


Our client has tried to cooperate with you and seek your position through correspondence, which you have 
consistently failed to provide. Given your conduct to date, we do not envisage receiving any substantive or 
pragmatic response from you. In these circumstances, you leave our client with no alternative option than to 
seek redress from elsewhere. We will of course rely on our correspondence when considering your conduct and 
position to date. 


Yours sincerely 


Ravi Naik 


Ravi Naik 
Director | AWO 


Tel: 07966143682 

This email (including attachments) is confidential and may be privileged. If you have received this email in error, please notify AWO immediately. 
You may not copy, forward, disclose or otherwise use any part of it. It is the responsibility of the recipient to ensure that this email is virus free 
and no responsibility is accepted by AWO for any loss or damage arising in any way from receipt or use of it. Emails are susceptible to 
interference. The contents of this email may not have originated from AWO, or be accurately reproduced. If verification is required, please 
request a hard-copy version. 


From: "data-protection-office@google.com" <data-protection-office@google.com> 
Date: Friday, 21 February 2020 at 18:16 

To: Ravi Naik <ravi@awo.legal> 

Subject: Re: Your reference RAN/OO009-Ryan 


Dear Sirs 
We refer to your correspondence of 13 and 19 February 2020. 


We do not agree with your assertions regarding the alleged inadequacy of the Google privacy policy and Google 
privacy practices generally, and reserve our position accordingly. 


Yours faithfully 


Google 
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